Researchers at Newcastle University have identified a major vulnerability in Visa’s contactless cards that could allow hackers to steal huge amounts of money from users’ accounts without their knowledge.
Contactless credit cards allow users in the UK to make transactions that cost less than £20 without entering their PIN, speeding up the process and improving customer convenience. However researchers have found that the limitation on the amount can be increased by changing the default currency into a new one.
Using this method, hackers can set up a rogue point of sale (POS) terminal on a cellphone or another system similar to the one placed illegally on ATMs, and can enter any amount for the transaction.
Since all the security checks are done on the card and not on the terminal, there is hardly anything to raise suspicion at this point of the transaction. A criminal can pre-set the amount, bump their mobile phone against someone’s pocket, or swipe their phone over a purse and get the transaction approved. When the researchers tested this method, most transactions were approved in almost a second.
Researcher Martin Emms admitted that his team hadn’t tested the processes at the back end. He appreciated the fact that banks have several security measures in place to protect their users and prevent fraud; however, the recent discovery has unraveled a major flaw in the payment system.
With just a cellphone, the researchers managed to create a POS terminal capable of reading a credit card through a pocket or wallet. When this rogue POS terminal is touched against the credit card, the card will supply a code and the transaction will be approved. This code will then be sent to the financial institution to release the funds.
By carrying out these transactions offline, criminals can avoid further security checks. The existing system requires the card to verify itself; however, the point of sale terminal is not required to authenticate itself.
“This lends itself to multiple attackers across the world collecting small transactions of perhaps €200 at a time for a central rogue merchant who could be located anywhere in the world,” said Emms.
“This previously undocumented flaw around foreign currency, combined with the lack of POS terminal authentication and the ease of skimming contactless credit cards, makes the system more vulnerable to high-value attacks.”
The contactless credit cards issued by Visa may approve cash transactions in foreign currency of up to 999,999.99. To make the transaction appear legitimate, all a criminal has to do is be present at a place such as the London underground or an airport where different currencies are used all the time.
Since cyber criminals are exploring all possible ways to break into the system, they will exploit this vulnerability sooner or later. The researchers also said that the payment protocol does not clearly mention a way in which the banks would handle this inconsistency. However, Visa doesn’t seem to be worried. They said that the researchers hadn’t considered the multiple safeguards they employ to prevent such types of attacks. They also ruled out the possibility of similar attacks being replicated outside the lab.
The researchers presented their findings at the CCS 2014 academic conference in Arizona.